HIPAA BREACH RISK ASSESSMENT WORKSHEET
Organization Name: [________________________________]
Assessment Number: [________________________________]
Incident Reference Number: [________________________________]
Assessment Date: [__/__/____]
Assessor Name and Title: [________________________________]
SECTION 1: PURPOSE AND LEGAL FRAMEWORK
1.1 Purpose
This worksheet documents the four-factor risk assessment required by 45 C.F.R. § 164.402(2) to determine whether an impermissible use or disclosure of protected health information ("PHI") constitutes a "breach" requiring notification under the HIPAA Breach Notification Rule.
1.2 Legal Standard
Under the Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
1.3 Burden of Proof
Under 45 C.F.R. § 164.414(b), the covered entity or business associate has the burden of demonstrating that all required notifications were made or that an impermissible use or disclosure did not constitute a breach. This assessment must be thoroughly documented and retained.
1.4 Important Notes
- Even if the risk assessment determines a low probability of compromise, the Organization may elect to provide breach notification as a precautionary measure
- The risk assessment must be documented regardless of the outcome
- When in doubt, treat the incident as a breach and notify
- This documentation must be retained for a minimum of six (6) years per 45 C.F.R. § 164.530(j)
- OCR may request this documentation during an investigation or audit
SECTION 2: PRELIMINARY ANALYSIS
2.1 Threshold Questions
Before conducting the four-factor risk assessment, determine whether the incident qualifies as an impermissible use or disclosure and whether any exceptions apply.
Question 1: Did an impermissible use or disclosure of PHI occur?
An impermissible use or disclosure is one that is not permitted under the HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E).
☐ Yes — Proceed to Question 2
☐ No — Document rationale and stop. No breach analysis required.
☐ Under investigation — Proceed with assessment as a precautionary measure
Rationale: [________________________________]
Question 2: Does an exception to the definition of breach apply?
Review the three exceptions under 45 C.F.R. § 164.402(1):
Exception (i) — Unintentional Workforce Access:
☐ The use or disclosure was an unintentional acquisition, access, or use by a workforce member acting in good faith and within the scope of authority
☐ AND the information was not further used or disclosed in a manner not permitted by the Privacy Rule
☐ This exception applies — Document and stop. No breach notification required.
☐ This exception does not apply — Proceed.
Exception (ii) — Inadvertent Disclosure Between Authorized Persons:
☐ The disclosure was an inadvertent disclosure from one authorized person to another authorized person at the same covered entity, business associate, or organized health care arrangement
☐ AND the information was not further used or disclosed in a manner not permitted by the Privacy Rule
☐ This exception applies — Document and stop. No breach notification required.
☐ This exception does not apply — Proceed.
Exception (iii) — Good Faith Belief of Non-Retention:
☐ The covered entity or business associate has a good faith belief that the unauthorized person would not reasonably have been able to retain the information
☐ This exception applies — Document and stop. No breach notification required.
☐ This exception does not apply — Proceed.
Question 3: Was the PHI unsecured?
☐ The PHI was encrypted consistent with NIST standards and the encryption key was NOT compromised — Encryption Safe Harbor applies. No breach notification required. Document and proceed to Section 3 for safe harbor documentation.
☐ The PHI was destroyed consistent with NIST SP 800-88 / HHS guidance — Destruction Safe Harbor applies. No breach notification required. Document and stop.
☐ The PHI was NOT encrypted (or encryption did not meet NIST standards) — Proceed to four-factor analysis.
☐ The PHI was encrypted but the encryption key was also compromised — Proceed to four-factor analysis (safe harbor does not apply).
SECTION 3: ENCRYPTION SAFE HARBOR ANALYSIS (45 C.F.R. § 164.402, definition of "unsecured protected health information," and HHS guidance)
Complete this section if encryption may apply. If encryption does not apply, skip to Section 4.
3.1 Encryption Standards
Per HHS Guidance, PHI is rendered "unusable, unreadable, or indecipherable" through encryption if:
Data at Rest: Encryption is consistent with NIST SP 800-111 (Guide to Storage Encryption Technologies for End User Devices), using an approved algorithm (e.g., AES-128, AES-192, or AES-256 per FIPS 197) implemented in a cryptographic module validated under FIPS 140-2 or FIPS 140-3. Key management matters as much as the algorithm: a key stored on, or recoverable from, the same device as the data defeats the protection (see 3.2).
Data in Motion: Encryption is consistent with NIST SP 800-52 (TLS), SP 800-77 (IPsec VPNs), or SP 800-113 (SSL VPNs), using FIPS 140-2/140-3 validated cryptographic modules.
3.2 Encryption Assessment
| Question | Response |
|---|---|
| Was the PHI in question encrypted? | ☐ Yes ☐ No ☐ Partially |
| Type of encryption | ☐ Full-disk encryption ☐ File-level encryption ☐ Database encryption ☐ Transport encryption (TLS/SSL) ☐ Other: [________________] |
| Encryption algorithm used | [________________________________] |
| Key length | ☐ AES-128 ☐ AES-192 ☐ AES-256 ☐ Other: [________________] |
| FIPS 140-2 or 140-3 validated? | ☐ Yes — Certificate #: [________] ☐ No ☐ Unknown |
| Was the device powered off at the time of loss/theft? | ☐ Yes ☐ No ☐ Unknown ☐ N/A |
| Was the decryption key stored separately from the encrypted data? | ☐ Yes ☐ No ☐ Unknown |
| Was the decryption key also compromised? | ☐ Yes ☐ No ☐ Unknown |
| Was the user logged in, or was the device merely screen-locked or asleep, at the time of loss/theft? (If so, the volume was already unlocked and its key resident in memory, so full-disk encryption was not protecting the data) | ☐ Yes ☐ No ☐ Unknown ☐ N/A |
3.3 Encryption Safe Harbor Determination
☐ Safe Harbor APPLIES: The PHI was encrypted consistent with NIST standards, the encryption key was not compromised, and the device was in a state in which the encryption actually protected the data (powered off, or hibernated with pre-boot authentication required to resume). This incident is not a breach under the Breach Notification Rule. Document thoroughly and retain.
☐ Safe Harbor DOES NOT APPLY: The PHI was not encrypted, the encryption did not meet NIST standards, the encryption key was also compromised, or the device was powered on with the user logged in. A device that was powered on but screen-locked or asleep still has the volume unlocked; treat that as a documented judgment call based on the additional controls in place (account lockout, remote wipe, TPM-bound keys), not as an automatic safe harbor. Proceed to the four-factor risk assessment.
Rationale: [________________________________]
[________________________________]
SECTION 4: INCIDENT SUMMARY
4.1 Incident Details
| Field | Details |
|---|---|
| Incident ID / Tracking Number | [________________________________] |
| Date(s) of Incident | [__/__/____] to [__/__/____] |
| Date Incident Discovered | [__/__/____] |
| Date Reported to Privacy Officer | [__/__/____] |
| Reported By (Name/Title) | [________________________________] |
| Type of Incident | ☐ Hacking/IT incident ☐ Unauthorized access/disclosure ☐ Theft ☐ Loss ☐ Improper disposal ☐ Misdirected communication ☐ Employee snooping ☐ Ransomware ☐ Phishing ☐ Other: [________________] |
| Location/Systems Affected | [________________________________] |
| Business Associate Involved? | ☐ Yes — Name: [________________] ☐ No |
4.2 Description of Incident
Provide a detailed narrative of what occurred:
[________________________________]
[________________________________]
[________________________________]
[________________________________]
[________________________________]
4.3 PHI Involved
Data Format:
☐ Electronic (ePHI)
☐ Paper
☐ Oral
☐ Multiple formats: [________________________________]
Types of PHI Involved (check all that apply):
| Category | Data Elements | Checked |
|---|---|---|
| Demographic | Name | ☐ |
| Demographic | Date of birth | ☐ |
| Demographic | Address | ☐ |
| Demographic | Phone number | ☐ |
| Demographic | Email address | ☐ |
| Demographic | Social Security number | ☐ |
| Demographic | Driver's license / state ID | ☐ |
| Clinical | Medical record number | ☐ |
| Clinical | Patient account number | ☐ |
| Clinical | Diagnosis / condition information | ☐ |
| Clinical | Treatment / procedure information | ☐ |
| Clinical | Medication information | ☐ |
| Clinical | Lab results / test results | ☐ |
| Clinical | Clinical notes / provider notes | ☐ |
| Clinical | Mental health / substance abuse records | ☐ |
| Clinical | HIV/AIDS status | ☐ |
| Clinical | Genetic information | ☐ |
| Clinical | Sexual health / reproductive information | ☐ |
| Financial | Financial account numbers | ☐ |
| Financial | Credit/debit card numbers | ☐ |
| Financial | Payment information | ☐ |
| Insurance | Health insurance member ID | ☐ |
| Insurance | Health insurance group number | ☐ |
| Insurance | Medicare / Medicaid beneficiary number | ☐ |
| Insurance | Claims information | ☐ |
| Other | Biometric identifiers | ☐ |
| Other | Photographs | ☐ |
| Other | Other: [________________________________] | ☐ |
Number of Individuals Affected: [________________________________]
☐ Exact count ☐ Estimated count
SECTION 5: FOUR-FACTOR RISK ASSESSMENT
Factor 1: Nature and Extent of PHI Involved
Analysis: Evaluate the types of identifiers and clinical information involved, the sensitivity of the information, and the likelihood that the information could be used to re-identify individuals or cause them harm.
5.1.1 Identifiability Assessment:
| Question | Response |
|---|---|
| Does the PHI include direct identifiers (name, SSN, address, DOB)? | ☐ Yes ☐ No |
| How many direct identifiers are involved? | [____] |
| Does the PHI include financial identifiers (SSN, account numbers, credit card numbers)? | ☐ Yes ☐ No |
| Could the information be used for identity theft or financial fraud? | ☐ High likelihood ☐ Medium likelihood ☐ Low likelihood |
| Could the information be used to re-identify individuals if combined with other available data? | ☐ High likelihood ☐ Medium likelihood ☐ Low likelihood |
5.1.2 Sensitivity Assessment:
| Question | Response |
|---|---|
| Does the PHI include particularly sensitive clinical information (mental health, substance abuse, HIV/AIDS, STI, reproductive health, genetic)? | ☐ Yes ☐ No |
| Does the PHI include detailed clinical notes or treatment plans? | ☐ Yes ☐ No |
| Is the PHI of a type that could result in stigma, discrimination, or embarrassment if disclosed? | ☐ Yes ☐ No |
| Was the PHI in the form of a limited data set (identifiers removed except dates, zip codes, ages)? | ☐ Yes ☐ No |
5.1.3 Volume Assessment:
| Question | Response |
|---|---|
| How many data elements per individual were involved? | ☐ 1-3 ☐ 4-7 ☐ 8+ |
| How many individuals' PHI was involved? | [________________________________] |
| How many records/pages/files were involved? | [________________________________] |
Factor 1 Risk Rating: ☐ Low ☐ Medium ☐ High
Factor 1 Rationale:
[________________________________]
[________________________________]
[________________________________]
Factor 2: The Unauthorized Person Who Used or Received the PHI
Analysis: Consider the identity and obligations of the unauthorized person and whether that person has the ability or motivation to use the PHI inappropriately.
5.2.1 Identity of the Unauthorized Person:
| Question | Response |
|---|---|
| Who was the unauthorized person? | ☐ Workforce member of this organization ☐ Workforce member of another covered entity ☐ Business associate workforce member ☐ Known third party (not a covered entity/BA) ☐ Unknown third party ☐ Criminal actor / hacker ☐ Other: [________________] |
| Was the unauthorized person identified? | ☐ Yes — Identity: [________________] ☐ No — Unknown |
| Does the unauthorized person have independent obligations to protect PHI? | ☐ Yes (covered entity/BA/workforce with HIPAA obligations) ☐ No ☐ Unknown |
5.2.2 Motivation and Capability Assessment:
| Question | Response |
|---|---|
| Is there evidence the unauthorized person intended to use the PHI for an improper purpose? | ☐ Yes ☐ No ☐ Unknown |
| Does the unauthorized person have the knowledge/resources to exploit the PHI? | ☐ High likelihood ☐ Medium likelihood ☐ Low likelihood ☐ Unknown |
| If the recipient was a known person, has that person been contacted about the disclosure? | ☐ Yes ☐ No ☐ N/A |
| Did the recipient provide assurances of non-use, non-disclosure, or destruction? | ☐ Yes — See attestation ☐ No ☐ N/A |
5.2.3 Risk Considerations:
- Lower risk: PHI disclosed to another covered entity or BA with existing HIPAA obligations; PHI disclosed to a known recipient who has returned/destroyed the data; misdirected communication to a wrong patient or healthcare provider
- Higher risk: PHI accessed by a criminal actor, unknown hacker, or threat actor; PHI posted publicly on the internet; PHI disclosed to the media; PHI lost with no ability to identify the recipient; employee snooping with malicious intent
Factor 2 Risk Rating: ☐ Low ☐ Medium ☐ High
Factor 2 Rationale:
[________________________________]
[________________________________]
[________________________________]
Factor 3: Whether the PHI Was Actually Acquired or Viewed
Analysis: Determine whether the PHI was actually accessed, viewed, acquired, or downloaded by the unauthorized person, as opposed to merely having been accessible or potentially exposed.
5.3.1 Evidence of Access or Viewing:
| Question | Response |
|---|---|
| Is there direct evidence the PHI was actually viewed or accessed? | ☐ Yes ☐ No ☐ Inconclusive |
| Is there direct evidence the PHI was downloaded, copied, or exfiltrated? | ☐ Yes ☐ No ☐ Inconclusive |
| Were access/audit logs reviewed? | ☐ Yes ☐ No ☐ N/A |
| What do the audit logs show? | ☐ Confirmed access ☐ No evidence of access ☐ Logs inconclusive ☐ Logs unavailable |
| Was forensic analysis conducted? | ☐ Yes ☐ No ☐ In progress |
| What did the forensic analysis show? | ☐ Data was accessed/exfiltrated ☐ No evidence of access ☐ Inconclusive ☐ Pending |
| If a device was lost/stolen, was it recovered? | ☐ Yes ☐ No ☐ N/A |
| If recovered, is there evidence the PHI was accessed? | ☐ Yes ☐ No ☐ Unable to determine ☐ N/A |
5.3.2 Risk Considerations:
- Lower risk: PHI was contained in an unopened envelope returned to sender; PHI was on a device that was recovered intact with no evidence of tampering; audit logs confirm no access occurred; misdirected fax/email recipient confirmed deletion without viewing
- Higher risk: PHI was confirmed viewed, downloaded, or exfiltrated; no audit logs available to determine access; device lost/stolen and not recovered; data posted publicly; ransomware with confirmed data exfiltration
Factor 3 Risk Rating: ☐ Low ☐ Medium ☐ High
Factor 3 Rationale:
[________________________________]
[________________________________]
[________________________________]
Factor 4: Extent to Which the Risk to the PHI Has Been Mitigated
Analysis: Evaluate the steps taken to reduce the risk that the PHI has been or will be improperly used or further disclosed.
5.4.1 Mitigation Actions Taken:
☐ Unauthorized recipient contacted and confirmed PHI was not viewed, retained, or further disclosed
☐ Written attestation of destruction/return obtained from unauthorized recipient
☐ PHI confirmed returned to the Organization
☐ PHI confirmed destroyed by the unauthorized recipient
☐ Remote wipe executed on lost/stolen device — confirmed successful
☐ Compromised accounts/credentials disabled and reset
☐ Affected systems isolated and secured
☐ Security patches applied to address exploited vulnerability
☐ Enhanced monitoring implemented on affected systems
☐ Law enforcement investigation initiated (may deter misuse)
☐ Confidentiality/non-disclosure agreement obtained from unauthorized recipient
☐ Employee terminated or disciplined for policy violation
☐ Other: [________________________________]
5.4.2 Mitigation Effectiveness:
| Question | Response |
|---|---|
| Were the mitigation actions effective in reducing the risk? | ☐ Fully effective ☐ Partially effective ☐ Not effective ☐ Unable to determine |
| Is there confidence that the PHI has been returned, destroyed, or not further used? | ☐ High confidence ☐ Medium confidence ☐ Low confidence |
| Are there any remaining risks that could not be mitigated? | ☐ Yes — Describe: [________________] ☐ No |
Factor 4 Risk Rating: ☐ Low ☐ Medium ☐ High
Factor 4 Rationale:
[________________________________]
[________________________________]
[________________________________]
SECTION 6: OVERALL RISK DETERMINATION
6.1 Factor Summary
| Factor | Risk Rating | Key Considerations |
|---|---|---|
| Factor 1: Nature and Extent of PHI | ☐ Low ☐ Medium ☐ High | [________________________________] |
| Factor 2: Unauthorized Person | ☐ Low ☐ Medium ☐ High | [________________________________] |
| Factor 3: Actually Acquired or Viewed | ☐ Low ☐ Medium ☐ High | [________________________________] |
| Factor 4: Mitigation | ☐ Low ☐ Medium ☐ High | [________________________________] |
6.2 Overall Determination
Based on the totality of the four-factor risk assessment:
☐ LOW PROBABILITY OF COMPROMISE — The risk assessment demonstrates a low probability that the PHI has been compromised. This incident does not constitute a reportable breach under the Breach Notification Rule. The Organization is not required to provide breach notification.
☐ NOT LOW PROBABILITY (BREACH PRESUMED) — The Organization is unable to demonstrate a low probability that the PHI has been compromised. This incident is presumed to be a breach requiring notification to affected individuals, HHS, and (if applicable) the media and state regulators.
☐ ORGANIZATION ELECTS TO NOTIFY — Although the risk assessment may support a low probability of compromise, the Organization elects to provide breach notification as a precautionary measure.
6.3 Overall Rationale
Provide a comprehensive narrative explaining the overall determination, addressing each factor and how they were weighed together:
[________________________________]
[________________________________]
[________________________________]
[________________________________]
[________________________________]
[________________________________]
SECTION 7: COMMON SCENARIO ANALYSES
The following scenarios provide guidance for assessing common types of incidents. Each scenario should still be individually assessed using the four-factor analysis.
7.1 Lost or Stolen Encrypted Laptop
Typical Analysis:
- Factor 1: Depends on types of PHI stored on the device
- Factor 2: Unknown (device lost/stolen to unknown person)
- Factor 3: If encryption was active (device powered off or locked) and meets NIST standards, the PHI may not have been accessible
- Factor 4: Remote wipe capability, device recovery efforts
Key Question: Was the encryption active at the time of loss/theft?
- If the device was powered off, or hibernated with pre-boot authentication required to resume: the volume key was not in memory and full-disk encryption was protecting the data; encryption safe harbor may apply
- If the device was powered on and logged in, or only screen-locked or asleep: the volume was mounted and its key was resident in memory, so full-disk encryption alone was not protecting the data; safe harbor may NOT apply. Record the exact device state and any compensating controls (remote wipe, account lockout) rather than assuming the harbor
- If the decryption key or recovery key was stored on a separate device or in a separate location and was NOT also compromised: safe harbor is more likely to apply
7.2 Misdirected Fax, Email, or Mail
Typical Analysis:
- Factor 1: Evaluate the types of PHI in the communication (often limited)
- Factor 2: Usually a known, identifiable recipient — another healthcare provider, business, or individual
- Factor 3: Was the communication opened and read? The recipient can often confirm
- Factor 4: Contact recipient, obtain attestation of destruction/return, confirm no further disclosure
Likely Outcome: Often LOW probability of compromise when the recipient is known, confirms non-viewing or destruction, and the PHI was limited in scope. However, if sensitive information (HIV, mental health, substance abuse) was involved and viewed by the recipient, the risk may be higher.
7.3 Employee Snooping (Unauthorized Workforce Access)
Typical Analysis:
- Factor 1: Depends on what records were accessed — may include highly sensitive clinical information
- Factor 2: Workforce member with existing HIPAA obligations — but motivation matters (curiosity vs. malicious intent)
- Factor 3: Audit logs typically confirm exactly what was viewed
- Factor 4: Employee discipline/termination, obtaining attestation that information was not further disclosed
Key Considerations: Employee snooping does NOT typically qualify for the Exception (i) "unintentional workforce access" because snooping is intentional and outside the scope of the employee's work duties. Treat as a presumed breach and conduct the four-factor analysis.
7.4 Ransomware Attack
Typical Analysis (Per OCR Guidance):
- Factor 1: Often involves large volumes of ePHI with multiple data types
- Factor 2: Criminal threat actor with malicious intent — high risk
- Factor 3: OCR position: When ePHI is encrypted by ransomware, it constitutes an unauthorized "acquisition" because the attacker took possession/control of the data, triggering the breach presumption. Additionally, determine whether data was exfiltrated (double extortion)
- Factor 4: Ability to restore from backups; whether attacker access was contained; whether credit monitoring is offered
Key Distinction:
- If ePHI was encrypted at rest consistent with NIST guidance before the ransomware attack and the encryption key was NOT compromised: the safe harbor may apply to the data at rest. Apply the same device-state caveat as in Section 3: ransomware executes on a running system whose volumes are already unlocked, so full-disk encryption alone rarely protects the data on that system; file-, column-, or database-level encryption whose keys the attacker could not reach is the stronger case. If the attacker exfiltrated unencrypted (or decrypted) data before encrypting it, the safe harbor does not apply to the exfiltrated copies.
- If ePHI was NOT encrypted before the ransomware attack: presumed breach — notification required unless the organization can demonstrate low probability of compromise.
7.5 Phishing Attack with Credential Compromise
Typical Analysis:
- Factor 1: Depends on what PHI was accessible via the compromised credentials
- Factor 2: Unknown external threat actor (phishing attacker) — high risk
- Factor 3: Determine whether the compromised email account or system was actually accessed by the attacker (review login logs for unusual IPs, times, locations)
- Factor 4: Password reset, MFA implementation, account monitoring, forensic review of accessed emails/records
Key Question: Was the email account or system accessed from an unauthorized IP address or location after the credentials were compromised? If forensic evidence shows no unauthorized access occurred, this supports a lower probability of compromise.
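Both Factor 3 (item 5.3.1, audit log review) and this phishing scenario come down to what the logs show for the compromised account between the moment of compromise and containment. The Python below is an added example written for this worksheet, not code from HHS, OCR, or any vendor. The CSV layout, the operation names (MailItemsAccessed, FileDownloaded, and so on), the account names, IP addresses and the trusted network range are all constructed assumptions chosen to resemble a cloud mailbox audit log; map them to your real log source. It treats every successful event from outside the trusted networks during the window as unauthorized access, separates "viewed" from "downloaded" evidence, and reports "inconclusive" rather than "no evidence" when the log does not cover the whole window, which is the distinction the worksheet's "Logs inconclusive" box exists for.

```python
"""Post-compromise log review for Factor 3: was the PHI actually accessed?

Added example for this worksheet; not from HHS/OCR or any product. The CSV layout,
operation names and network ranges below are assumptions, not a real log schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed operation names for events that read PHI-bearing objects (viewed) and
# for events that copy them out of the environment (exfiltrated). Map these to
# the real operation names of your log source.
ACCESS_OPS = {"MailItemsAccessed", "FileAccessed", "FileDownloaded", "MailExport"}
EXFIL_OPS = {"FileDownloaded", "MailExport"}

# Constructed sample log (not real data). Columns:
# timestamp(UTC),user,source_ip,operation,result,object
SAMPLE_LOG = """\
2024-03-04T13:02:10Z,jdoe@clinic.example,10.20.5.17,UserLoggedIn,Success,-
2024-03-04T13:05:44Z,jdoe@clinic.example,10.20.5.17,MailItemsAccessed,Success,Inbox
2024-03-04T14:31:02Z,jdoe@clinic.example,203.0.113.45,UserLoggedIn,Failed,-
2024-03-04T14:31:20Z,jdoe@clinic.example,203.0.113.45,UserLoggedIn,Success,-
2024-03-04T14:33:51Z,jdoe@clinic.example,203.0.113.45,MailItemsAccessed,Success,Inbox
2024-03-04T14:40:09Z,jdoe@clinic.example,203.0.113.45,FileDownloaded,Success,referrals_2024Q1.xlsx
2024-03-04T15:10:00Z,asmith@clinic.example,198.51.100.9,UserLoggedIn,Success,-
"""


def utc(stamp: str) -> datetime:
    """Parse the log's ISO-8601 UTC timestamps into timezone-aware datetimes."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    op: str
    result: str
    obj: str


@dataclass
class Review:
    suspicious_events: list = field(default_factory=list)  # successful, untrusted, inside the window
    failed_untrusted_logins: int = 0
    phi_accessed: bool = False
    exfiltration_evidence: bool = False
    coverage_gap: bool = False  # log ends before containment, so absence of events proves nothing

    @property
    def determination(self) -> str:
        """Map the evidence onto the answer boxes in worksheet item 5.3.1."""
        if self.exfiltration_evidence:
            return "confirmed: PHI accessed and exfiltrated"
        if self.phi_accessed:
            return "confirmed: PHI accessed"
        if self.coverage_gap:
            return "inconclusive: log coverage ends before containment"
        if self.suspicious_events:
            return "unauthorized sign-in confirmed; no PHI access recorded"
        return "no evidence of unauthorized access"


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, ip, op, result, obj = line.split(",")
        events.append(Event(utc(ts), user, ip, op, result, obj))
    return events


def review_compromise(log_text, user, compromised_at, contained_at, trusted_networks, log_coverage_end):
    """Classify the compromised account's activity between compromise and containment."""
    nets = [ip_network(n) for n in trusted_networks]
    rv = Review(coverage_gap=log_coverage_end < contained_at)
    for ev in parse_log(log_text):
        if ev.user != user or not (compromised_at <= ev.ts <= contained_at):
            continue
        if any(ip_address(ev.ip) in n for n in nets):
            continue  # from the clinic's own networks: attributed to the legitimate user
        if ev.result != "Success":
            rv.failed_untrusted_logins += 1  # attempts belong in the narrative, not in "acquired"
            continue
        rv.suspicious_events.append(ev)
        rv.phi_accessed |= ev.op in ACCESS_OPS
        rv.exfiltration_evidence |= ev.op in EXFIL_OPS
    return rv


if __name__ == "__main__":
    review = review_compromise(
        SAMPLE_LOG, "jdoe@clinic.example",
        compromised_at=utc("2024-03-04T14:00:00Z"),   # phishing link clicked (assumed)
        contained_at=utc("2024-03-04T16:00:00Z"),     # password reset and sessions revoked (assumed)
        trusted_networks=["10.20.0.0/16"],            # clinic LAN/VPN egress range (assumed)
        log_coverage_end=utc("2024-03-04T16:00:00Z"), # last timestamp the log source retained
    )
    print(review.determination)
    for ev in review.suspicious_events:
        print(ev.ts.isoformat(), ev.ip, ev.op, ev.obj)
```

For the sample account the result is "confirmed: PHI accessed and exfiltrated", with the mailbox read and the spreadsheet download listed as the supporting events; that is the evidence the Factor 3 rationale should quote, down to the timestamp and source address. The coverage check is the piece most reviews skip: if retention on the log source stops before the containment time, the correct box is "Logs inconclusive," not "No evidence of access," and the burden of proof in 1.3 means the distinction matters.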
7.6 Improper Disposal of Paper Records
Typical Analysis:
- Factor 1: Evaluate the types and volume of PHI in the records
- Factor 2: Unknown — records may have been accessible to anyone
- Factor 3: Were the records actually viewed by unauthorized persons? Often unknown
- Factor 4: Were the records recovered? Was the disposal site secured? Was a shredding vendor engaged to retroactively destroy the records?
Key Consideration: Paper records containing PHI must be rendered unreadable through shredding, burning, pulping, or pulverizing to qualify for the safe harbor. Simply placing records in a dumpster or recycling bin does NOT qualify.
7.7 Verbal Disclosure in Waiting Area or Public Space
Typical Analysis:
- Factor 1: Usually limited in scope (name, condition, or appointment)
- Factor 2: Other patients or visitors in the area — usually unknown
- Factor 3: Was the information actually overheard? By how many people?
- Factor 4: Limited ability to mitigate after the fact; can implement future safeguards
Key Consideration: Most verbal disclosures in clinical settings are permissible under the incidental use and disclosure provisions (45 C.F.R. § 164.502(a)(1)(iii)) if reasonable safeguards were in place. However, if the disclosure was clearly impermissible (e.g., discussing a patient's sensitive diagnosis loudly in a crowded waiting room), it should be assessed as a potential breach.
SECTION 8: LIMITED DATA SET ANALYSIS
8.1 Limited Data Set Considerations
A limited data set under 45 C.F.R. § 164.514(e) excludes the following direct identifiers:
- Names
- Postal address information (other than town, city, state, and zip code)
- Telephone numbers, fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs, IP addresses
- Biometric identifiers
- Full-face photographs and comparable images
If only a limited data set was involved:
While a limited data set is still PHI (and therefore subject to the Breach Notification Rule), the reduced identifiability is a significant factor in the Factor 1 analysis. The risk of re-identification and harm is generally lower when the PHI constitutes only a limited data set.
☐ The PHI involved constitutes a limited data set
☐ The PHI involved includes direct identifiers beyond a limited data set
SECTION 9: WORKFORCE MEMBER ATTESTATION TEMPLATE
9.1 Attestation of Non-Disclosure/Destruction
Use this template when an unauthorized recipient (such as a workforce member who accessed records outside their scope, or an unintended recipient of a misdirected communication) needs to attest that they did not retain or further disclose the PHI.
ATTESTATION OF NON-DISCLOSURE AND DESTRUCTION/RETURN
I, [________________________________], hereby attest to the following:
- On or about [__/__/____], I [received / accessed / viewed] protected health information belonging to [________________________________] (the "Organization") or its patients.
- (Check one)
  ☐ I did NOT view, read, or review the contents of the protected health information.
  ☐ I viewed the protected health information, but I did NOT copy, photograph, record, or otherwise retain any of the information.
- I have NOT disclosed, shared, forwarded, posted, or otherwise made available the protected health information to any other person, entity, or platform.
- (Check all that apply)
  ☐ I have returned all copies of the protected health information to the Organization.
  ☐ I have permanently destroyed all copies of the protected health information in my possession (including electronic copies, printouts, photographs, and any other form).
  ☐ I did not retain any copies of the protected health information.
- I understand that unauthorized use or disclosure of protected health information is a violation of federal law (HIPAA) and may subject me to civil and/or criminal penalties.
- I will cooperate fully with any investigation by the Organization regarding this incident.
Attestor:
Name: [________________________________]
Title/Relationship: [________________________________]
Signature: ______________________________
Date: [__/__/____]
Witness:
Name: [________________________________]
Title: [________________________________]
Signature: ______________________________
Date: [__/__/____]
SECTION 10: RISK ASSESSMENT DECISION FLOWCHART
Follow this flowchart to guide the breach determination process:
```text
START: Potential incident involving PHI
  |
  v
Did an impermissible use or disclosure of PHI occur?
  |-- NO  --> Document and stop. No breach analysis required.
  |
  YES
  v
Does an exception apply? (§ 164.402(1)(i)-(iii))
  |-- YES --> Document and stop. Not a breach.
  |
  NO
  v
Was the PHI "unsecured"?
  |-- NO (encrypted per NIST guidance, key not compromised,
  |       or destroyed per NIST SP 800-88)
  |       --> Safe harbor applies. Document and stop. Not a reportable breach.
  |
  YES
  v
Conduct Four-Factor Risk Assessment (Section 5)
  |
  v
Low probability of compromise?
  |-- YES --> Document thoroughly. No breach notification required.
  |           (May elect to notify voluntarily.)
  |
  NO
  v
BREACH PRESUMED. Notification required:
  - Individuals (§ 164.404)
  - HHS (§ 164.408)
  - Media, if more than 500 residents of a state or jurisdiction (§ 164.406)
  - State attorneys general, per state law
```
SECTION 11: NOTIFICATION DECISION
11.1 Based on the Risk Assessment, the Following Notifications Are Required:
☐ Individual Notification — Required under 45 C.F.R. § 164.404
- Deadline: without unreasonable delay and in no case later than 60 calendar days after discovery ([__/__/____])
- Number of individuals: [________________________________]
- Method: ☐ First-class mail ☐ Email (individual has agreed to electronic notice) ☐ Substitute notice (contact information insufficient or out of date) ☐ Urgent telephone (in addition to written notice, where misuse is imminent)
☐ HHS Notification — Required under 45 C.F.R. § 164.408
- Track: ☐ Track 1 (500 or more individuals: notify HHS contemporaneously with individual notice and no later than 60 calendar days after discovery) ☐ Track 2 (fewer than 500 individuals: log the breach and submit to HHS within 60 days after the end of the calendar year in which it was discovered)
- Deadline: [__/__/____]
☐ Media Notification — Required under 45 C.F.R. § 164.406
- More than 500 residents of a single state or jurisdiction? ☐ Yes ☐ No
- States requiring media notification: [________________________________]
- Deadline: [__/__/____]
☐ State AG Notification — Required under applicable state law
- States: [________________________________]
- Deadlines: [________________________________]
☐ No Notification Required — Low probability of compromise demonstrated
- Documentation retained: ☐ Yes
☐ Voluntary Notification — Organization elects to notify despite low probability finding
- Rationale: [________________________________]
SECTION 12: LEGAL REVIEW AND SIGN-OFF
12.1 Assessment Prepared By
Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
Signature: ______________________________
12.2 Privacy Officer Review
☐ I have reviewed this risk assessment and concur with the determination.
☐ I have reviewed this risk assessment and disagree with the determination. See notes below.
Name: [________________________________]
Title: Privacy Officer
Date: [__/__/____]
Signature: ______________________________
Notes: [________________________________]
12.3 Legal Counsel Review
☐ I have reviewed this risk assessment and concur with the determination.
☐ I have reviewed this risk assessment and recommend modification. See notes below.
Name: [________________________________]
Title: [________________________________]
Firm (if external): [________________________________]
Date: [__/__/____]
Signature: ______________________________
Notes: [________________________________]
12.4 Executive Leadership Acknowledgment (for breaches affecting 500+ individuals)
☐ I have been briefed on this risk assessment and the breach determination.
Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
Signature: ______________________________
SECTION 13: RETENTION REQUIREMENTS
This completed Risk Assessment Worksheet and all supporting documentation must be retained for a minimum of six (6) years from the date of creation or the date when it was last in effect, whichever is later, per 45 C.F.R. § 164.530(j).
Retention Details:
| Item | Description |
|---|---|
| Assessment Date | [__/__/____] |
| Earliest Destruction Date | [__/__/____] (6 years from assessment date) |
| Storage Location | [________________________________] |
| Access Restricted To | [________________________________] |
| Litigation Hold Applicable? | ☐ Yes — Hold until: [________________] ☐ No |
SECTION 14: CROSS-REFERENCE TO RELATED TEMPLATES
This Risk Assessment Worksheet works in conjunction with the following Organization documents:
- HIPAA Breach Response Plan — Comprehensive breach response procedures and notification framework
- HIPAA Security Incident Response Plan — Technical incident detection, containment, and recovery
- HIPAA Breach Notification — HHS — HHS breach portal submission guide
- HIPAA Breach Notification — Media — Media notification and press release template
- HIPAA Breach Notification Call Script — Individual notification call procedures
SOURCES AND REFERENCES
- 45 C.F.R. § 164.402(2) — Four-Factor Risk Assessment for Breach Determination
- 45 C.F.R. § 164.402(1) — Definition of Breach and Three Exceptions
- 45 C.F.R. § 164.402 — Definition of "Unsecured Protected Health Information" (basis for the encryption and destruction safe harbor, together with the HHS guidance listed below)
- 45 C.F.R. § 164.414(b) — Burden of Proof (Covered Entity Must Demonstrate)
- 45 C.F.R. §§ 164.400-414 — Breach Notification Rule (Complete)
- 45 C.F.R. § 164.530(j) — Documentation Retention (6 Years)
- 45 C.F.R. § 164.514(e) — Limited Data Set
- HHS OCR — Guidance to Render Unsecured PHI Unusable, Unreadable, or Indecipherable (https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html)
- HHS OCR — Guidance on Ransomware and HIPAA (https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html)
- HHS OCR — Breach Notification Rule (https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
- NIST SP 800-111 — Guide to Storage Encryption Technologies for End User Devices
- NIST SP 800-88 — Guidelines for Media Sanitization
- NIST SP 800-52 — Guidelines for the Selection and Use of Transport Layer Security (TLS)
- FIPS 140-2 / 140-3 — Security Requirements for Cryptographic Modules
This template is provided for informational purposes only and does not constitute legal advice. All breach risk assessments should be reviewed by qualified legal counsel. The four-factor risk assessment requires professional judgment and a thorough understanding of the specific facts and circumstances of each incident. HIPAA compliance requirements are subject to change based on OCR guidance and regulatory updates.
For use on ezel.ai — a legal template platform for solo practitioners and small firms.